Re: [Users] Another Sentinel<->Freeswan Certificate Problem

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Fri Aug 02 2002 - 08:53:16 CEST


Andreas.Mueller_at_varetis.de wrote:
>
> Hello,
>
> concerning a W2k+Sentinel to Suse 8.0+freeswan VPN:
> basically, I don't get certificates accepted on the Sentinel side, but
> it's a bit more complicated.
>
> All udp 500 esp 50 ah 51 are getting through the router.
>
> First, I started with plain W2k to FreeS/WAN with Marcus' tool, and could
> set up a working tunnel with
> openssl-created certificates. So I knew that the certificates were OK
> (I followed vpn.ebootis.de).
> Then I came to the point that I need the "virtual IP address" feature
> of Sentinel.
> So I removed the IPsec setup on the notebook and installed Sentinel, and
> tried to get it
> running with the previously created certificates for the
> plain2k<->freeswan setup.
>
> The diagnostic of Sentinel tells me that it is possible to establish a
> connection to my gateway.
>
> Everything worked as described in the documents (e.g. "SSH Sentinel 1.3
> and FreeS/WAN IPSec") found
> at www.ssh.com. I also did a pretty complete RTFM.
> But IKE Phase 1 fails somewhere on the Sentinel side.
>
> On the FreeS/WAN side, I get:
>
> Aug 1 17:57:25 lovelace Pluto[8272]: "andreasmueller" 212.144.145.70
> #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Aug 1 17:57:25 lovelace Pluto[8272]: "andreasmueller" 212.144.145.70
> #1: Peer ID is ID_DER_ASN1_DN: 'O=varetis, OU=ti,
> CN=andreas.mueller_at_varetis.com'
> Aug 1 17:57:25 lovelace Pluto[8272]: "andreasmueller" 212.144.145.70
> #1: multiple ipsec.secrets entries with distinct secrets match
> endpoints: first secret used

This warning probably means that the FreeS/WAN certificate which is
sent to Sentinel does not have a matching private key in ipsec.secrets.
Therefore FreeS/WAN signs with the wrong key.

> Aug 1 17:57:25 lovelace Pluto[8272]: "andreasmueller" 212.144.145.70
> #1: sent MR3, ISAKMP SA established
> Aug 1 17:57:26 lovelace Pluto[8272]: "andreasmueller" 212.144.145.70
> #1: Informational Exchange message for an established ISAKMP SA must be
> encrypted
>
> The 4th line looks like everything is OK for FreeS/WAN. The 5th line
> is possibly the outcome of the error on the FreeS/WAN side.
>
>
> On the Sentinel side, I get in the detailed IKE log:
>
> Decoded ID =der_asn1_dn(any:0,[0..134]=C=DE and so on (it's the
> cert of the root CA)

You are sending the CA certificate to Sentinel instead of
FreeS/WAN's host certificate. This is fundamentally wrong.

> SPD: Can not determine per-rule trusted CA root set for remote identity
> der_asn1_dn...... (like above) . Using only globally trusted roots.
> Then a few cryptic lines, and finally a
> IP;Signature check failed.

This was to be expected. You send the CA cert but sign with
some other private key.

> Phase-1 [initioator] between ...local der_asn1_dn... and ipv4 ...
> (external gateway-address) failed;invalid signature
>
> I tried
> a) working with the certificates from the previously working plain W2k
> setup,
> b) working with openssl-created certificates as described in chapter 6.2
> of "SSH Sentinel 1.3 and FreeS/WAN IPSec",
> c) working with the certificate created by Sentinel, as described in
> chapter 6.1 of the manual.
> None worked.
>
> The certificates are always imported from floppy as described.
> I did import the root CA certificate.
>
> Network:
>
> internalNet-router-VPNGateway-Router-Internet-Roadwarrior
>
> Finally, the ipsec.conf (it's still pretty close to the working plain 2k
> setup):
>
>
> conn %default
>         disablearrivalcheck=no
>         keyexchange=ike
>         ikelifetime=240m
>         keylife=60m
>         pfs=yes
>         compress=no
>         authby=rsasig
>         auth=esp
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>         right=VPNGateway-external
>         rightnexthop=border-router internal
>         rightsubnet=internal
>         rightcert=cacerts/cacert.pem

Wrong. Should be
           rightcert=clientcerts/freeswanCert.pem

>         left=%any
>         auto=add
>
>
> conn andreasmueller
>         type=tunnel
>         leftsubnet=private virtual address as entered manually in the
>         sentinel setup/32
>         leftcert=clientcerts/andreasmuellerCert.pem
>         keyingtries=1
>
>
>
> Are there any hints?
>
Throw out any private keys you have in ipsec.secrets and import
a single private key:

: RSA freeswanKey.pem "<optional passphrase>"
<don't forget to terminate the line with a newline character>

>
> Thanks
>
> --
> Andreas Mueller
> varetis AG
> E-mail: andreas.mueller_at_varetis.de

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
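The two configuration mistakes diagnosed in this reply (a rightcert= that points at the CA certificate, and more than one un-scoped RSA key in ipsec.secrets, which produces the "multiple ipsec.secrets entries" warning) can be caught before starting Pluto. The following lint script is an added example, not code from the thread or from the FreeS/WAN project; the sample ipsec.conf and ipsec.secrets it checks are constructed to mirror the quoted setup, and its checks are heuristics derived from the reply above.

```python
import re

# Constructed sample modelled on the thread: %default names the CA certificate
# and ipsec.secrets carries two un-scoped RSA keys without a trailing newline.
BROKEN_CONF = """\
conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        rightcert=cacerts/cacert.pem
        left=%any

conn andreasmueller
        leftcert=clientcerts/andreasmuellerCert.pem
        keyingtries=1
"""
BROKEN_SECRETS = ': RSA oldKey.pem\n: RSA freeswanKey.pem "secret"'

# The same files after applying the fixes suggested in the reply.
FIXED_CONF = BROKEN_CONF.replace("cacerts/cacert.pem", "clientcerts/freeswanCert.pem")
FIXED_SECRETS = ': RSA freeswanKey.pem "secret"\n'

def rsa_key_entries(secrets_text):
    """Key files named by ': RSA <file> ["passphrase"]' lines (relative to ipsec.d/private)."""
    return re.findall(r'^\s*:\s*RSA\s+(\S+)', secrets_text, re.MULTILINE)

def cert_settings(conf_text):
    """Yield (conn, param, value) for every leftcert/rightcert line, tracking the enclosing conn."""
    conn = None
    for line in conf_text.splitlines():
        m = re.match(r'^conn\s+(\S+)', line)
        if m:
            conn = m.group(1)
            continue
        m = re.match(r'^\s+(leftcert|rightcert)\s*=\s*(\S+)', line)
        if m and conn:
            yield conn, m.group(1), m.group(2)

def lint(conf_text, secrets_text):
    """Return the problems an X.509 setup like the quoted one would trip over."""
    findings = []
    keys = rsa_key_entries(secrets_text)
    if len(keys) != 1:
        findings.append(f"ipsec.secrets: expected exactly one RSA key, found {len(keys)}: {keys}")
    if secrets_text and not secrets_text.endswith("\n"):
        findings.append("ipsec.secrets: last line is not newline-terminated")
    for conn, param, value in cert_settings(conf_text):
        if value.startswith("cacerts/"):
            findings.append(f"conn {conn}: {param}={value} names a CA certificate, not a host certificate")
    return findings
```

Running lint() on the broken pair reports all three problems; on the fixed pair it reports none.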

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:35 CEST